Yes, Consumer Privacy is a “Reasonable Expectation”

Courts and the Constitution recognize privacy as a fundamental interest of citizens. Why shouldn’t consumers be entitled to the same consideration? A Manifesto.

A while back, I was working with a brilliant startup, whose technology allows you to make private, peer-to-peer connections among all your machines and devices, without the company ever storing, touching, or looking at any of your data or files. The company is using this technology to develop a consumer-grade product that would offer all the convenience of cloud storage, at a fraction of the cost, and without requiring users to entrust their data to third parties who might expose that personal data – either through the nefarious exploits of others or for their own commercial gain.

This seems like a simple, compelling, and obviously desirable idea to me. Why wouldn’t I want seamless, private access to all my files, wherever I go, without relying on a third-party intermediary whose affiliates and activities are outside my control? I might appreciate the redundancy of a cloud storage service, and use it as backup for non-sensitive information. But my private records and files should be stored privately, where I can see them whenever I want, and where they’re unlikely ever to get swept up in a criminal exploit or mass seizure, or be used to develop a marketing profile of me and my family.

So I was genuinely surprised when some people that we spoke with didn’t see the market for the product, asking “why would you need privacy, if you have nothing to hide?” They thought privacy-guarding tools were somehow only for criminals, terrorists, and the tinfoil-hat crowd. That is, not “people like us” – educated, law-abiding citizens with ordinary social and commercial activities and concerns.

Indeed, some folks seem to think that the desire for privacy is itself an affliction – although in some cases this seems to me more of a justification for a certain kind of carny exhibitionism than an effort at searching social commentary. And there’s another attitude, a close corollary, that surfaces when the private information of a public figure is disclosed: that they had no right to privacy anyway.

What’s so bad about privacy?

Why shouldn’t consumers expect their privacy to be respected in the ordinary course of business? After all, the right to privacy is a commonplace and fundamental component of the design of the modern state, in the US and around the world. In the US, courts (and by extension the police) protect the privacy interests even of those suspected or accused of the most heinous crimes. So why shouldn’t ordinary citizens think their records and communication ought to benefit from the same protection?

And in particular, why would consumer-facing entities be held to a lower standard than government entities? At least the government might argue that there is a public interest to be served by its surveillance activities, but what public interests are served by privately held businesses like messaging companies and data collectors? Why would we give businesses a pass relative to our privacy as consumers, when we demand that our governments respect our privacy as citizens?

The Constitutional Model: limited access

The government’s ability to snoop around in your stuff is limited by various sections of the Bill of Rights – we’ll get into those in more detail in future posts – but the guiding principle is that the government can’t eavesdrop on your conversations or rummage through your files at places and times where you have a “reasonable expectation of privacy.” Over the years, we have developed a cultural model of private places and times, and the law has developed in tandem to guide government actors on when they can invade that privacy without penalty (we’ll talk later about the cost to government actors of illicit invasion of privacy, and by extension to all of us as taxpayers, citizens, and innocent bystanders).

In some cases, we (the people, through our elected representatives) have codified this “reasonable expectation” into statutes that regulate commercial undertakings. For instance, HIPAA controls the flow of private patient information, with formidable penalties for unauthorized disclosure; FERPA governs the use and disclosure of student information; FCRA keeps your potential employer from snooping around your credit report; and COPPA penalizes websites that collect and store the personal information of minors.

Clearly we recognize some commercial circumstances where the desire for privacy is considered reasonable, and we require commercial actors to submit to government monitoring and enforcement. We have agreed that some people – the mom communicating with her child’s school, the patient whose doctor sends records on his unusual case to a medical journal, and the job applicant who bounced a check when she was 17 – all benefit from a reasonable expectation of privacy when dealing with a commercial institution. And we have made laws to enforce these expectations when dealing with commercial entities, but they only cover private information in certain, specific situations, and turn over the enforcement of privacy norms to government agencies (FTC, etc.). How about putting comprehensive control of private information in the hands of its owners, the consumers who interact with these entities on a daily basis?

Translating public to private

Children, patients, people with bank accounts, job-seekers: all benefit from statutory protection of privacy. That these privacy-protection statutes ever arose, often against formidable lobbying efforts by businesses, demonstrates the strength of our shared cultural expectations around privacy. But the people hearing our software pitch didn’t think the product would succeed by appealing to these same cultural norms when dealing with the private information of consumers.

I have a few theories about why this might be, and a rather dazzling conclusion, and will go into them over a series of posts. But first, we’ll cover the backstory a bit, discuss the patchwork of laws in the US that reflect our cultural norms about privacy, and look at other cultures’ standards for recognizing individual privacy.

Next up: do The Rules around privacy really reflect prevalent community values? Who decides, and how?